Talos Vulnerability Report

TALOS-2016-0094

7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability

May 10, 2016

CVE Number

Summary

An out-of-bounds read vulnerability exists in the CInArchive::ReadFileItem method of 7zip's UDF handling. A crafted UDF image can trigger it, leading to denial of service or code execution.

Tested Versions

7-Zip [32] 15.05 beta
7-Zip [64] 9.20

Product URLs

http://www.7-zip.org/

Details

To locate a file or directory on a particular partition, the CInArchive::ReadFileItem method uses, among other things, the Partition Map and the Long Allocation Descriptor [2.3.10.1 Long Allocation Descriptor].
Because a volume can have more than one partition map, the partition map objects are kept in a vector. To start looking for an item, the method selects the partition object
by indexing this vector with the "PartitionRef" field of the Long Allocation Descriptor. Nothing checks that "PartitionRef" is smaller than the number of
partition map objects in the vector, so an oversized value causes an out-of-bounds read, which in some circumstances can lead to arbitrary code execution.
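The lookup described above, reduced to a stand-alone C program. This is an added example, not 7-Zip's code: the PartitionMap struct and the "vector" type are assumed minimal stand-ins for 7-Zip's own types, the long_ad layout follows ECMA-167 (4-byte extent length, 4-byte logical block number, 2-byte partition reference number, 6 bytes of implementation use, all little-endian), and the sample descriptors and partition map are constructed for the example. The unchecked lookup shows the pattern the advisory describes; the checked one is the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal partition-map entry; only the field the lookup needs
 * (assumed layout for this example, not 7-Zip's own struct). */
typedef struct {
    uint32_t partition_start; /* first logical sector of the partition */
} PartitionMap;

/* The "partition maps object vector" from the advisory, as count + array. */
typedef struct {
    const PartitionMap *maps;
    size_t count;
} PartitionMapVector;

/* Long Allocation Descriptor (ECMA-167 3/4.14.14.2 long_ad), 16 bytes:
 *   0..3  extent length
 *   4..7  logical block number   } lb_addr
 *   8..9  partition reference    }
 *  10..15 implementation use
 * All fields little-endian. */
typedef struct {
    uint32_t extent_len;
    uint32_t logical_block;
    uint16_t partition_ref;
} LongAllocDesc;

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t get_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse a long_ad; returns 0 on success, -1 if the buffer is too short. */
int parse_long_ad(const uint8_t *buf, size_t len, LongAllocDesc *out) {
    if (len < 16) return -1;
    out->extent_len    = get_le32(buf);
    out->logical_block = get_le32(buf + 4);
    out->partition_ref = get_le16(buf + 8);
    return 0;
}

/* The pattern the advisory describes: PartitionRef indexes the vector with
 * no bounds check, so a PartitionRef >= count reads past the end of the
 * array. Only ever call this with a descriptor that was already validated. */
const PartitionMap *lookup_unchecked(const PartitionMapVector *v,
                                     const LongAllocDesc *ad) {
    return &v->maps[ad->partition_ref];
}

/* Hardened form: reject any reference that is not a valid index. */
const PartitionMap *lookup_checked(const PartitionMapVector *v,
                                   const LongAllocDesc *ad) {
    if (ad->partition_ref >= v->count) return NULL;
    return &v->maps[ad->partition_ref];
}

/* Resolve a long_ad to an absolute sector number using the checked lookup.
 * Returns -1 for a short buffer or an out-of-range PartitionRef. */
int64_t resolve_sector(const PartitionMapVector *v, const uint8_t *buf,
                       size_t len) {
    LongAllocDesc ad;
    if (parse_long_ad(buf, len, &ad) != 0) return -1;
    const PartitionMap *pm = lookup_checked(v, &ad);
    if (pm == NULL) return -1;
    return (int64_t)pm->partition_start + (int64_t)ad.logical_block;
}

/* Constructed sample: a volume with a single partition map, so the only
 * valid PartitionRef is 0. */
static const PartitionMap sample_maps[1] = { { 257 } };
static const PartitionMapVector sample_vector = { sample_maps, 1 };

/* Constructed RootDirICB long_ad: extent 2048 bytes, logical block 2, ref 0. */
static const uint8_t good_root_icb[16] = {
    0x00, 0x08, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00,
    0x00, 0x00,  0, 0, 0, 0, 0, 0
};

/* Same descriptor with PartitionRef set to 0xFFFF: the malformed record. */
static const uint8_t bad_root_icb[16] = {
    0x00, 0x08, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00,
    0xFF, 0xFF,  0, 0, 0, 0, 0, 0
};

int64_t demo_good(void) { return resolve_sector(&sample_vector, good_root_icb, 16); }
int64_t demo_bad(void)  { return resolve_sector(&sample_vector, bad_root_icb, 16); }

int main(void) {
    printf("good RootDirICB -> sector %lld\n", (long long)demo_good());
    printf("bad  RootDirICB -> %lld (rejected)\n", (long long)demo_bad());
    return 0;
}
```

With the single-map sample, the good descriptor resolves to sector 259 (257 + 2) while the 0xFFFF descriptor is rejected; routed through lookup_unchecked instead, the same 0xFFFF value would index 65535 entries past a one-element array, which is the read the advisory describes.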

The vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor, but
in this example we focus on the RootDirICB field of the File Set Descriptor [2.3.2 File Set Descriptor].

As you can see in the code above (lines 898-905), the search for elements on a particular volume and file set starts from the RootDirICB Long Allocation Descriptor,
and that is the record we will malform for our purpose.
The vulnerability appears at line 392, when the PartitionRef field exceeds the number of elements in the PartitionMaps vector.
Let us check how many PartitionMaps our PoC contains: